Tuesday, 27 February 2018

Advisory for Prestashop - Assigned CVE-2018-7491

While carrying out research I found that the Prestashop framework was not, by default, preventing malicious UI-redressing (clickjacking) attacks.

How common/prevalent is this vulnerability?

Almost all Prestashop instances do not prevent clickjacking attacks, so the attack surface is undoubtedly huge. This isn't a remote attack vector, though, and hence needs some user interaction. However, exploiting it is easy, and the victim user hardly realises that (s)he has been subjected to an attack.
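The protection the advisory says is missing is a framing policy in the shop's HTTP responses: either an `X-Frame-Options` header or a `Content-Security-Policy` with a `frame-ancestors` directive. The following Python is an added example, not code from the original post or from Prestashop; it classifies a captured set of response headers and reports whether the page can be embedded in a third-party frame. The header sets at the bottom are constructed for illustration, not captured from a real shop.

```python
"""Decide whether a set of HTTP response headers lets a page be framed.

Rules applied:
  * A Content-Security-Policy carrying a frame-ancestors directive takes
    precedence over X-Frame-Options ('none' blocks all framing, 'self'
    allows only the same origin, anything else is an explicit allow-list).
  * Without frame-ancestors, X-Frame-Options DENY or SAMEORIGIN restricts
    framing. ALLOW-FROM is obsolete and ignored by current browsers, so it
    is treated as no protection.
  * Content-Security-Policy-Report-Only only reports; it enforces nothing.
  * Anything else means any origin may frame the page.
"""
from typing import Dict, List, Optional


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Strip the quotes around keyword sources such as 'self' and 'none'
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify as 'blocked', 'same-origin', 'restricted' or 'frameable'."""
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # An empty source list matches no origin, the same as 'none'
        if not ancestors or ancestors == ["none"]:
            return "blocked"
        if ancestors == ["self"]:
            return "same-origin"
        return "restricted"  # explicit allow-list of framing origins
    xfo = (_header(headers, "X-Frame-Options") or "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "frameable"


def is_clickjackable(headers: Dict[str, str]) -> bool:
    """True when no enforced framing policy is present at all."""
    return framing_policy(headers) == "frameable"


# Constructed sample responses (illustrative, not captured from a real shop).
DEFAULT_SHOP_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "PrestaShop-example=abc; path=/; HttpOnly",
}
HARDENED_SHOP_HEADERS = {
    **DEFAULT_SHOP_HEADERS,
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_SHOP_HEADERS),
                        ("hardened", HARDENED_SHOP_HEADERS)):
        print(f"{label}: {framing_policy(hdrs)}")
```

To move a shop from the "frameable" result to "same-origin" on Apache with mod_headers enabled, the two directives `Header always set X-Frame-Options "SAMEORIGIN"` and `Header always set Content-Security-Policy "frame-ancestors 'self'"` in the vhost or `.htaccess` produce the hardened header set shown above; send both, since older browsers understand only `X-Frame-Options`.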

This is just a demonstration of various attack scenarios. But have you ever thought about how malicious this can turn out to be? Maybe we aren't aware of it being exploited in the wild as of yet, but users are often led into traps through various malicious advertisement campaigns that take advantage of this type of vulnerability to make a profit.

Impact

What does an attacker gain from it?

I would restrain myself from delving deeper into this part, since countless Prestashop instances to date are vulnerable to this attack vector.

Example Scenarios -

Vertical privilege escalation - Can we trap an administrator or staff member of the Prestashop instance into clicking and performing an unintended action that brings about a business loss, or a profit to us? Either way it's a win-win for the attacker. The admin can be tricked into making unintended price cuts, adding other users, changing values and performing various harmful actions.

Lateral privilege escalation - From the user's point of view, suppose a scenario in which a certain user is forced to change his account details from the account section or, even worse, made to execute a self-XSS. Various attack vectors exist, not all worth mentioning, but combining all these factors we can achieve a malicious exploit chain to improve our post-exploitation discovery methods.

Phishing - This can be done efficiently and extends into a wide array of attack vectors. The user finds the Prestashop instance embedded in an iframe, responsive and functioning just as the original application would. Thus the attacker can keylog the victim's keystrokes, observe his browsing habits from a competitive e-commerce angle, and so on.

Further, I can think of countless ways to exploit this. Should we go deeper? Yes! Because for e-commerce applications, security is of prime importance.